ostree VS Ansible

Ansible makes mutable changes to the OS, task by task.

Nix is immutable. A new change is made entirely new, and only after the build is successful, all packages are "symlinked" to the current system.

Fedora Silverblue is based on ostree [1]. It works similarly like git, but on your root tree. But it requires you to reboot the whole system for the changes to take effect. Since Nix is just symlinked packages, you don't need to reboot the system.

More detailed explanation here [2].

[1]: https://github.com/ostreedev/ostree

[2]: https://dataswamp.org/~solene/2023-07-12-intro-to-immutable-...

This one is for the ostree bug currently ongoing: https://github.com/ostreedev/ostree/issues/2900

This sounds related to the ostree bug.

I definitely agree that immutability offers considerable value in regards to improving security. But arguably it's insufficient to pull the win over mutable Fedora due to the losses caused by the inability to install the kernel-hardened package and the lack of UKI (Unified Kernel Image) support.

Other hardening guides mention a Unified Kernel Image as another measure to further improve security. Unfortunately, once more, this is (currently) not supported on Fedora Silverblue. I haven't seen it being done on openSUSE Aeon either. Though, once again, I'd love to be corrected!

The fedora crew is working on it through ostree though, so both fedora Silverblue and flatpak will be getting it (as well as true immutability) in the future: https://github.com/ostreedev/ostree/issues/2867

Aside from what has already been mentioned, Unified Kernel Image isn't supported (yet).

They support for-if from python, too: https://jinja.palletsprojects.com/en/3.1.x/templates/#loop-f... but I haven't tried the "recursive" keyword to know if ansible supports that. I say "ansible supports that" because they don't just drop jinja2 into ansible and call it a draw, they have a bunch of custom execution integrations: https://github.com/ansible/ansible/blob/v2.16.3/lib/ansible/...

To manage a VM, you can use something as simple as just manual actions over SSH, or can use tools like Ansible, Hashicorp's Packer and Terraform or other automations. For an app where there is minimal load and security/reliability concern, VMs are still a great option that provide a lot of value for the buck

In this article's context, it is simply a tool that provides a declarative way to automate your machine/OS to configure the development machine as you want (install package, modify the configuration, etc). Examples of these tools are Ansible, Puppet, etc.

Now we're getting more tangential, but for years, Ansible releases were named for Van Halen songs (see old Changelog here: https://github.com/ansible/ansible/blob/v1.8.4/CHANGELOG.md)

In the lab to follow, we'll quickly provision a 3-node kubeadm cluster (1 master, 2 workers) on the cloud provider of your choice using an automation stack comprised of OpenTofu and Ansible, then deploy Rook Ceph using the official Helm charts and confirm that we are now able to successfully create CSI volume snapshots from PVCs by reusing the MinIO example from our last article.

Ansible-Core ↗

The lookup works fine when parsed as say a msg and braced in "{{ }}" but we're told not to use jinja delimiters in when statements (no idea on the whys to that to be honest) - The issue lies around the first ": " and yaml sees that everything preceding this being a mapping... I have tried all manner of fixes described in YAML syntax error when string contains a colon + space · Issue #2769 · ansible/ansible (github.com) but no dice... the error is a variety of 'The error was: template error while templating string' type errors depending on what attempted fix I'm applying..

IBM -> RedHat -> Ansible (https://docs.ansible.com/platform.html)

I think the new ansible docs are opaque, and the new "everything is an ansible collection" scheme makes troubleshooting any issues reported by users hundreds of times harder than "the old days"

I keep this (https://github.com/ansible-community/ansible-build-data/blob...) bookmarked because it's the only way to match up what "ansible 8.1.0" (https://pypi.org/project/ansible/8.1.0/) even means since it for damn sure not any of this: https://github.com/ansible/ansible/releases (they used to have a 'release' pinned on that releases tab saying "these are not the droids you are looking for"). I believe I tried asking for them to update the completely erroneous pypi "source code" link to point to that repo and ... well, one can see how well that turned out